[German]Microsoft has issued a security alert as of November 17, 2021, disclosing a vulnerability in Microsoft Azure AD. This allows information to be retrieved from the Microsoft Azure Actice Directory (AD).
Advertising
I was alerted to the issue by Microsoft via email in a security bulletin. The vulnerability CVE-2021-42306 is rated as important (CVSS score of 8.1).
***************************************************************
Title: Microsoft Security Update Revisions
Issued: November 17, 2021
***************************************************************
Summary
=======
The following CVE has been published to the Security Update Guide.
================================================================
* CVE-2021-42306
– CVE-2021-42306 | Azure Active Directory Information Disclosure Vulnerability
– Version: 1.0
– Reason for Revision: Information published.
– Originally posted: November 17, 2021
– Updated: N/A
– Aggregate CVE Severity Rating: Important
Advertising
Vulnerability CVE-2021-42306 allows information disclosure and occurs when a user or application uploads unprotected private key data as part of an keyCredential authentication certificate to an Azure AD application or service principal (which is not recommended). This vulnerability allows a user or service in the application read access tenant to read private key data added to the applications.
The vulnerability in Azure AD has been fixed by preventing the disclosure of private key values added to the application. Microsoft has identified the services that could cause this vulnerability and the actions customers should take to protect themselve.
Running Automation accounts created between 10/15/2020 and 10/15/2021 with a self-signed Azure Automation certificate and not renewed are affected. Regardless, customers using their own certificates could be affected. This is true regardless of the certificate renewal date. To identify and remediate affected Azure AD applications associated with affected executing accounts, please navigate to this [link to Github repo]. In addition, Azure Automation supports managed identities (GA announced in October 2021). Migrating from executing accounts to managed identities mitigates this issue.
Microsoft specifies other affected services related to CVE-2021-42306,but writes that exploitation is unlikely. Security researchers at NetSPI, which specializes in enterprise penetration testing and identified the vulnerability, write here that an attacker could exploit the flaw to elevate the privileges to contribute to any subscription with an automation account and access resources in the affected subscriptions. Security Week has published a summary article on the topic.
